‘Gaping security holes’ in millions of AT&T modems, researchers claim

A security research firm claims to have found “gaping security flaws” in most AT&T U-verse cable modems — you know, the type used by most every AT&T customer to get online. The flaws could potentially allow a remote attacker to access the modem that serves as the gateway to the internet for an entire household. With that kind of access, the kind of havoc that could be wreaked is really just limited to the hacker’s imagination.

“It is uncertain whether these gaping security holes were introduced by Arris (the OEM) or if these problems were added after delivery to the ISP (AT&T U-verse). From examining the firmware, it seems apparent that AT&T engineers have the authority and ability to add and customize code running on these devices, which they then provide to the consumer (as they should),” a Nomotion engineer wrote in a blog outlining the flaw.

“Some of the problems discussed here affect most AT&T U-verse modems regardless of the OEM, while others seem to be OEM specific. So it is not easy to tell who is responsible for this situation. It could be either, or more likely, it could be both,” he continued. “Regardless of why, when, or even who introduced these vulnerabilities, it is the responsibility of the ISP to ensure that their network and equipment are providing a safe environment for their end users. This, sadly, is not currently the case.”

AT&T did not immediately return a request for comment on the accuracy of the security firm’s findings, or explain what concerned customers can do, short of smashing their modem with a baseball bat and hiding in a lead-lined basement.